Export GPO to apply to Local Policy

Bit of a daft situation, but we currently have ~400 PCs in an AD. We have another site that we support that is on its own private BT line, so we cannot manage them remotely or have them in AD. So, locking them down for public use is going to have to rely on local policies using gpedit. Now, rather than rebuilding it all again from scratch, can I export the policies from GP Management and apply them locally to the PCs using gpedit?

Thanks!
 
The LocalGPO tool should do what you are after. Not sure if it's a single download, as I have always used it in conjunction with Microsoft Security Compliance Manager (free tool).
 
Should have said, any specific policies, say based on domain security groups, will not function. If in doubt, run it through Microsoft Security Compliance Manager first.
 
I don't think there are any working off of groups. I realise it's not going to be a simple task at all, but I'll give it a go. What makes it even worse is the fact that the existing clients are XP, but these new ones that are off the network are Windows 7. Obviously they exist in Domain Computers, but I presume that SCM program takes care of such things. There are a lot of GPs that won't need to be added, such as WSUS servers etc., and at least I won't need to worry about answer files and sysprepping, as they'll just be in a workgroup.
 
Well, I gave up. There were so many GPOs and policies, many of which are non-applicable, so I just started building local policies from scratch. Just need to work out how to stop users from saving files of any sort to the users folder (C: is already hidden) so that they can only write to their own USB drive if they need to save anything...
 
Why can't you manage them remotely or use AD? VPN back to your main site (or MPLS if you have the money), use AD sites to map the subnets to locations, drop a domain controller in. Or if you don't have a suitable place to put a server, use Azure.
 
Because money. They are volunteer-run sites, so the whole reason they dropped the WAN link in favour of their own BT line was budgetary. If they're not paying us to do it, it ain't happening, basically. I'm going to speak to my boss again as this is such a ridiculous way of achieving things in the 21st century... The libraries are paying for an SLA, so what cost is it to just have them on our network as they always were...
 
Yeah, give up; the time costs in having to be responsible for the support of a bunch of non-domain-joined PCs must surely outweigh the costs of a VPN and DC at each location?
 
Yup, I agree, but the customer seems to have made the decision on our behalf but my boss is kind of stuck. It's a **** situation but we kind of have no choice. High up people are demanding it...
 